
HIPAA UPDATE

What’s New and Need-to-Know?

Kathy Dix
06/01/2005

The privacy regulations that were passed into law years ago — known as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 — are being continually updated according to the provisions of the original law. For example, because Congress recognized that advances in electronic technology could erode the privacy of health information, the legislative body incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

The U.S. Department of Health and Human Services (HHS) published a final regulation in the form of the Privacy Rule in December 2000, which became effective April 14, 2001. The rule set national standards for the protection of health information, as applied to the three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct certain healthcare transactions electronically. By the compliance date of April 14, 2003 (April 14, 2004, for small health plans), covered entities were required to implement standards to protect and guard against the misuse of individually identifiable health information. Failure to follow the law could incur civil or criminal penalties.1

Various other standards were clarified and had later “active” dates, such as the security portion of HIPAA.

There are two new items associated with HIPAA, says Troy Kishbaugh, JD, partner at GrayRobinson law firm in Orlando. “No. 1 is the security rules regarding electronic protected health information (EPHI). [Covered entities] should have been in compliance with those rules by April 21, 2005. What the security rules do is address administrative, technical and physical safeguards concerning EPHI. No. 2 is recently published complaint guidelines. Basically, if an individual believes there has been a violation — an unlawful use or disclosure of their PHI — there have been some new guidelines of regulations proposed regarding the complaint procedures or complaint process.”

There is an official complaint process now in place. “If an individual believes there has been an unlawful use or disclosure, they’ll be able to file a complaint with the Office for Civil Rights to determine if there has been an actual violation. They already had some complaint guidelines in the original HIPAA privacy rule, but they did indicate the secretary would be issuing more detailed guidelines. I believe they’re in a proposed form,” says Kishbaugh. “There’s a procedure for filing complaints, procedures for initial processing of complaints by CMS — it goes to CMS and to HHS. You can make complaints in two ways — you can file them over the Internet or you can mail them.”

As for the security issue, that mainly applies to electronic systems. “There are certain addressable standards, and then there are certain required standards,” he explains. “For example, you want to make sure your computer system cannot be easily accessed from the outside. You’ll have some sort of firewalls on the system. For all individuals who have access to EPHI online, you’ll want to make sure all their passwords are unique and that people don’t share passwords. You want to make sure these systems have a screensaver mode, so if a person walks away from the computer for a certain number of minutes, the screensaver will automatically turn on and the screensaver will require a password to get back on.”

Data storage backup is also necessary, in case the system crashes or there is a catastrophe; there must be data off-site that can be retrieved if necessary. Kishbaugh recommends a daily data backup. “Here in Florida, we had four hurricanes in three months, and what a great idea to have this emergency backup plan. I didn’t really consider emergency planning until Sept. 11, but then I thought, ‘What if your whole building goes down?’ Now I’m thinking, have a hurricane come through. That could destroy our computer system with rain, or then there are disasters such as fire or tornado.”

If your healthcare facility is owned by physicians as well as non-physician owners, the non-physician owners must abide by HIPAA and protect the privacy of EPHI. “That would be handled through the shareholders’ agreement, through the company policy and procedures. Whether it’s an LLC, managing members, board of directors, you want to make sure the policies and procedures apply also to them, and they should also go through the training. They should have regular updates. If they don’t buy in at the top, in the governing structure, it’s not going to happen throughout the entire organization,” says Kishbaugh.

Disclosure of EPHI to the wrong party — if the fax or phone number is incorrect, for example — is illegal. Healthcare facilities have a responsibility to update these numbers at least once a year, but preferably, every six months. If it is an inadvertent error, then the staff would need to be retrained, and it would be handled through modification and training and documentation of the error. “If the person does it again, your disciplinary process would increase each time, until ultimately we recommend termination, like if it’s the third time. If it’s an intentional disclosure, fire immediately! You cannot have that; it is that critical that you maintain confidentiality, because you could be on the other side of that table,” Kishbaugh asserts.

Sending EPHI to the wrong location can be disastrous; one of Kishbaugh’s clients, a healthcare facility, faxed EPHI to the wrong number. When the recipient called to notify the center of the error, he attempted to extort $10,000 from them, threatening to tell the government if they did not “pony up” the money. “We could have reported him,” Kishbaugh recalls. “He’s not covered by HIPAA, because he’s not employed by a covered entity, so the criminal penalties wouldn’t apply to him. You can get $250,000 or 10 years in prison for malicious harm for pecuniary gain.”

Kishbaugh called the attempted blackmailer and informed him, “‘Either return the fax or I’m reporting you to the state attorney general’s office.’ We got it back rather quickly.”

A man in Seatac, Wash., was a phlebotomist at the Seattle Cancer Center. He was convicted of obtaining credit cards using PHI obtained from his employer. Richard W. Gibson, age 42, pleaded guilty to “wrongful disclosure of individually identifiable health information for economic gain” and received the first criminal conviction under HIPAA.2

Gibson admitted to obtaining a cancer patient’s name, date of birth and social security number and using that information to acquire four credit cards in the patient’s name, accumulating more than $9,000 in debt. As part of his plea agreement, Gibson was sentenced to 16 months in prison — a longer term than the prosecutors had requested — and restitution to the credit card companies and to the patient for expenses incurred as a result of having his identity stolen.

Endoscopy centers often encounter one particular legal issue that causes problems — subpoenas. “Subpoenas are not being properly drafted regarding notice provided to the patient or that they’ve sought a qualified protective order in order to obtain records. We need to somehow educate the legal community about HIPAA privacy rules. The subpoena must identify that the records are being requested and you’ve given the patient notice, that the patient either hasn’t responded or has not filed an objection, or that the objections filed by the individual have been resolved by the court, or what the subpoena needs to show is that there has been a qualified protective order obtained,” Kishbaugh says. “We call the lawyer and let them know they didn’t serve it right, and even send them a form.”

Also, many healthcare providers do not realize that if they deal with a business associate such as an attorney, and the attorney uses an expert and discloses PHI to the expert, the attorney must enter into a sub-business associate agreement with that expert to ensure she does not unlawfully disclose that information. “That’s not happening a lot; our law firm does it; most aren’t — they’re probably using some sort of agency argument, but I still would say you have to enter into a sub-business associate agreement. Say the covered entity uses a management company and the management company outsources the billing. The covered entity would have a business associate agreement with the management company, and the management company would have a sub-business associate agreement with that billing company.”

With the advent of HIPAA also came software and other tools to handle security of PHI. Gary Bradt, vice president of the biometric division at Silex Technology America, explains what they offer for protection. For 30 years, Silex has been providing information security to other industries. Bradt says, “In April of last year, they launched a biometric offering in the U.S. They came out with a number of fingerprint readers as their initial offering; the COMBO-Mini is relatively new, and if you were to hold one in your hand, it’s about the size of your thumb or a little bit bigger. Nurses can wear it around the neck. On the back of it, there is a smartcard. Now you can store your encrypted information on that card, not your computer.”

Silex offers physical access door devices as well. There is also an option to control the intellectual property on a computer; software can encrypt any file or application and provide biometric authentication on a laptop computer. If a nurse loses the portable device with encrypted patient information on it, it will not work if someone else tries to use it, because the device requires fingerprint identification first.

Jeffrey Green, director of compliance at Laserfiche, discusses an electronic method for storing medical records safely and in a format that is accepted by courts of law. “We allow for a medical organization to be able to control content relative to patient care in a way they cannot do with paper documentation,” he says. “We can electrically import, or actually scan-in, patient records, and we can secure them in a file format that from a compliance standpoint is always going to remain available and has legal standing in court because they’re accessible by the nurse but not alterable by the nurse.

“We can apply security all the way down to the individual word or section of the patient file itself,” he adds. “The record will be locked up so the nurse can not only protect confidential information on that record, but might even be able to give the name, address, that sort of information, to an administrative assistant to do billing, but not confidential medical reports, which would be electronically redacted off the record. It still exists there; we haven’t altered the record. We’ve simply eliminated it from view based on the security profile of the user.”

Green questions how much of a nurse’s time is spent with paperwork and maintaining privacy. “Cumulatively, over the course of an entire nursing staff and hundreds of patients, I submit that is an inordinate burden on them,” he says.

“Within Laserfiche, you cannot alter the original scanned-in, archived document, but we allow you the ability not only to apply what amounts to a black magic marker over content so you can’t read it, but to put sticky notes on it, and they can write notes on it, so it’s a living, breathing document, except for the underlying scanned-in image.”
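The pattern Green describes above, a read-only archived record with per-user redaction applied only to the view and notes kept in a separate layer, as an added Python example (not Laserfiche's code; the record sections, the role profiles and the SHA-256 tamper check are assumptions):

```python
import hashlib
import json
from dataclasses import dataclass
from types import MappingProxyType

# Constructed sample record: a few labelled sections of one patient file.
SAMPLE_RECORD = {
    "name": "Jane Sample",                 # constructed, not a real patient
    "address": "1 Example Way",
    "diagnosis": "constructed diagnosis text",
    "lab_results": "constructed lab values",
}

# Hypothetical security profiles: the sections each role is allowed to see.
PROFILES = {
    "nurse": {"name", "address", "diagnosis", "lab_results"},
    "billing_assistant": {"name", "address"},
}


@dataclass(frozen=True)
class ArchivedRecord:
    """The archived original: read-only once stored, with a digest for tamper checks."""
    record_id: str
    sections: MappingProxyType   # read-only view; item assignment raises TypeError
    digest: str

    @classmethod
    def archive(cls, record_id: str, sections: dict) -> "ArchivedRecord":
        canonical = json.dumps(sections, sort_keys=True).encode()
        return cls(record_id, MappingProxyType(dict(sections)),
                   hashlib.sha256(canonical).hexdigest())

    def verify(self) -> bool:
        """Recompute the digest to confirm the archived content is unchanged."""
        canonical = json.dumps(dict(self.sections), sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest() == self.digest


def render_view(record: ArchivedRecord, role: str) -> dict:
    """Build one user's view: sections outside the profile are redacted in the view only."""
    allowed = PROFILES.get(role, set())   # an unknown role sees nothing
    return {k: (v if k in allowed else "[REDACTED]") for k, v in record.sections.items()}


# Annotation layer ("sticky notes") kept beside, never inside, the archived record.
NOTES: dict = {}

def add_note(record: ArchivedRecord, user: str, text: str) -> int:
    """Attach a note to the record id and return the note count; the archive is untouched."""
    NOTES.setdefault(record.record_id, []).append({"by": user, "text": text})
    return len(NOTES[record.record_id])
```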

This is a tremendous advantage, Green says, especially because the information must be maintained in a format that is nonproprietary and will always be available, if it is to stand up in a court of law. It must also be accessible by the reader but not alterable. If, for example, it were stored in Adobe PDF format and Adobe went out of business, the file might no longer be available. So Laserfiche utilizes TIFF files — image files — to store patient records. “Our solution is designed so that if you can use Windows Explorer and Google, you will intuitively know how to use it,” he adds. “The key is to have the medical professional comfortable moving from paper to digital. That is best accomplished by playing to what the average person does with a computer.”


Works Cited

1. www.hhs.gov/ocr/hipaa/guidelines/overview.pdf

2. www.usdoj.gov/usao/waw/press_room/2004/aug/gibson.htm

